Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)

Ian Batten igb at batten.eu.org
Mon Aug 2 14:40:24 BST 2010


On 2 Aug 2010, at 14:25, Clive D.W. Feather wrote:

> Ian Batten said:
>>> The server, as in a dedicated host offering professional services should
>>> protect itself against anything the "internet" throws against it,
>> Except that's both contrary to the law in every other field, and
>> incredibly elitist.
>
> I disagree with you and agree with the intent of the statement.
>
> A URL is a string of (to a first approximation) printable characters. A web
> server should be able to handle any string of printable characters in the
> URL field of the GET request and do something sensible with it. This might
> be a 403 or a 404, but it shouldn't be accessing files that it's not
> supposed to return to the user and it shouldn't do anything unauthorized.

Sure, and as an engineer I agree with you.  And my immediate reaction  
was that the Cuthbert case was an over-reaction, and I think the  
precise details of the case make for a tangential discussion.  I'm
very, very nervous about the idea that somehow attempting to break  
into computer systems should have a defence of (in essence) "had they  
wanted to secure it they should have done a better job" when that is  
not the case with any analogous crime.  It smacks of blame the victim.

A door lock should be able to cope with any key being inserted and  
only open when the correct one is used, but wandering around with a  
set of lock picks is liable to get you prosecuted for "going  
equipped", and attempting to actually use them would be a further crime.

If I lock my front door with a hypothetic one-lever lock that can be  
picked in a second while wearing boxing gloves, that might cause  
people to be less sympathetic when my house gets broken into and might  
lead to an interesting conversation with my insurance company if I  
tried to claim; it would not, however, be a defence for the burglar to  
say that it was my fault for not fitting a better lock.

Similarly bike locks, car alarms, etc: if I want to prevent the thing  
being stolen, it behoves me to use security measures suitable for the  
job, because having your stuff stolen is a pain.  If I want my  
insurance to compensate me, they will set a minimum level of  
protection they expect me to use, and will potentially give me a  
discount for having more (my car has a magic-string-of-letters  
accredited immobiliser, and that's worth a few quid off the insurance).

However, whether I take those precautions or not is not at issue when  
someone is prosecuted - it's not a bigger offence to steal a bike  
secured with a bloody great big Kryptonite chain than it is to steal a  
bike secured with a lock from Poundland.

ian


